Monitors if the iSCSI target port has a firewall exclusion rule set
This monitor checks the configuration of inbound firewall rules for the iSCSI Target Service and generates an alert if the iSCSI port is blocked. The monitor checks for TCP port 3260 by default although this can be changed by an override on the monitor if required.
If the inbound port is not enabled, no remote iSCSI initiators will be able to connect to the server and iSCSI disks will not be available for use.
If the health state is unknown, monitoring has either not begun or the monitor may have been disabled for this object.
This monitor can be unhealthy for the following reasons:
Windows Firewall is not running.
An inbound TCP firewall rule for the iSCSI target is not set.
The default iSCSI target port (3260) was changed and the monitor has not been updated to probe the new port.
Determine if Windows Firewall is enabled
To determine if Windows Firewall is enabled, use the following procedure on the affected server:
At an elevated command prompt on the affected server, type: sc query mpssvc and press ENTER.
If Windows Firewall is not running, type the following command: net start mpssvc.
Determine if firewall rules are enabled
To determine if the firewall rules for the ports are enabled, use the following procedure on the affected server:
Open Control Panel on the affected server, click System and Security, and then click Windows Firewall.
In the left pane, click Advanced Settings and then click Inbound Rules.
Verify that the Microsoft iSCSI Software Target Service (TCP-In) rule is enabled and that Action is set to Allow.
Verify that the correct TCP port (3260 by default) is specified in the rule.
If firewall rules are not enabled, click the applicable rule, and on the Action menu, click Enable Rule.
This monitor automatically resets to a Healthy state after you resolve the issue although there may be a long delay as the monitor does not perform this check frequently. To force the monitor to reset and check the state again, select the monitor from Health Explorer and click Reset Health.
Update the monitor configuration
If the iSCSI Target has been configured to use a non-default port, follow the configuration steps in the management pack guide to update the monitor configuration with the new port number.
| Target | Microsoft.Windows.FileServices.Service.iSCSITarget.10.0 | ||
| Parent Monitor | System.Health.ConfigurationState | ||
| Category | ConfigurationHealth | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | MatchMonitorHealth | ||
| Alert Priority | Normal | ||
| Alert Auto Resolve | True | ||
| Monitor Type | Microsoft.Windows.FileServices.Service.iSCSITarget.10.0.FirewallCheck | ||
| Remotable | False | ||
| Accessibility | Public | ||
| Alert Message |
| ||
| RunAs | Microsoft.Windows.FileServices.MonitoringAccount |
Home
<UnitMonitor ID="Microsoft.Windows.FileServices.Service.iSCSITarget.10.0.FirewallSettings" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.FileServices.Service.iSCSITarget.10.0" ParentMonitorID="SystemHealth!System.Health.ConfigurationState" Remotable="false" TypeID="Microsoft.Windows.FileServices.Service.iSCSITarget.10.0.FirewallCheck" ConfirmDelivery="false" RunAs="FileServices!Microsoft.Windows.FileServices.MonitoringAccount">
<Category>ConfigurationHealth</Category>
<AlertSettings AlertMessage="Microsoft.Windows.FileServices.Service.iSCSITarget.10.0.FirewallSettings.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="FirewallConfigured" MonitorTypeStateID="FirewallPortOpen" HealthState="Success"/>
<OperationalState ID="FirewallNotConfigured" MonitorTypeStateID="FirewallPortNotOpen" HealthState="Error"/>
</OperationalStates>
<Configuration>
<IntervalSeconds>7200</IntervalSeconds>
<SyncTime/>
<TimeoutSeconds>300</TimeoutSeconds>
<PortNumber>3260</PortNumber>
</Configuration>
</UnitMonitor>